Analysis
max time kernel
121s
max time network
134s
platform
windows7_x64
resource
win7-en-20211208
submitted
12-02-2022 11:09
Static task
static1
Behavioral task
behavioral1
Sample
053871aef418858a62b820b47313392dbcba103427a1dfd53def2b0a6c4247f2.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
053871aef418858a62b820b47313392dbcba103427a1dfd53def2b0a6c4247f2.exe
Resource
win10v2004-en-20220112
General
Target
053871aef418858a62b820b47313392dbcba103427a1dfd53def2b0a6c4247f2.exe
Size
79KB
MD5
6ea0425341ca46dae315c1f38f289b80
SHA1
a019504c4923813d6739647af122377c21782422
SHA256
053871aef418858a62b820b47313392dbcba103427a1dfd53def2b0a6c4247f2
SHA512
a1e339accbcdf77a2951c33924201150711e24674a50f40e6e26701bc5d12fba521859f9d971e09a0d21b93b75dbc54fffc30ffa9beeee9d578c85b58fcbf2a6
Malware Config
Signatures
Sakula Payload 3 IoCs
Processes (resource, yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
Executes dropped EXE 1 IoCs
Processes (pid, process):
  944  MediaCenter.exe
Deletes itself 1 IoCs
Processes (pid, process):
  852  cmd.exe
Loads dropped DLL 2 IoCs
Processes (pid, process):
  1704  053871aef418858a62b820b47313392dbcba103427a1dfd53def2b0a6c4247f2.exe
  1704  053871aef418858a62b820b47313392dbcba103427a1dfd53def2b0a6c4247f2.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, process):
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  053871aef418858a62b820b47313392dbcba103427a1dfd53def2b0a6c4247f2.exe
  Note: the Wow6432Node path is the WOW64-redirected view of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run as seen by this 32-bit process on an x64 host; the machine-wide Run key is only writable because the sandbox runs the sample as an administrator, so the persistence point is the dropped MediaCenter.exe in the user's Temp directory.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description of this signature reads "Likely ransomware behaviour", but nothing else in this run supports that: no file encryption or ransom note is recorded, and the only family match is Sakula.
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description, pid, process):
  Token: SeIncBasePriorityPrivilege  1704  053871aef418858a62b820b47313392dbcba103427a1dfd53def2b0a6c4247f2.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes (description, pid, process, target process; each relation was recorded four times):
  PID 1704 wrote to memory of 944   053871aef418858a62b820b47313392dbcba103427a1dfd53def2b0a6c4247f2.exe -> MediaCenter.exe  (x4)
  PID 1704 wrote to memory of 852   053871aef418858a62b820b47313392dbcba103427a1dfd53def2b0a6c4247f2.exe -> cmd.exe  (x4)
  PID 852 wrote to memory of 1808   cmd.exe -> PING.EXE  (x4)
Processes
C:\Users\Admin\AppData\Local\Temp\053871aef418858a62b820b47313392dbcba103427a1dfd53def2b0a6c4247f2.exe  (depth 1, PID 1704)
  Command line: "C:\Users\Admin\AppData\Local\Temp\053871aef418858a62b820b47313392dbcba103427a1dfd53def2b0a6c4247f2.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (depth 2, PID 944)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe  (depth 2, PID 852)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\053871aef418858a62b820b47313392dbcba103427a1dfd53def2b0a6c4247f2.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    Note: the command line names System32\cmd.exe but the image actually loaded is SysWOW64\cmd.exe, because the 32-bit parent is subject to WOW64 file system redirection. The loopback ping is a built-in delay so that the parent has exited (and released its file lock) before del runs; the sample leaves no copy of itself behind and survives only as MediaCenter.exe via the Run key.
    C:\Windows\SysWOW64\PING.EXE  (depth 3, PID 1808)
      Command line: ping 127.0.0.1
      - Runs ping.exe
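The two host-side behaviours in the tree above, the Run key pointing into the user's Temp directory and the "ping loopback then del the parent's own image" self-deletion, are easy to turn into detection logic over process-creation and registry-set events. The following is an added example and not part of the sandbox report or of Sakula; the event records are constructed from the process tree and registry signature above (the parent PID of PID 1704 is not in the report and is set to 0 as a placeholder), and the two benign control events are invented to show what the checks do not flag.

```python
"""Detection logic for the two host artefacts this report records:

  1. persistence: a Run key value pointing at an executable under
     %LOCALAPPDATA%\\Temp (here HKLM\\...\\Wow6432Node\\...\\Run\\MicroMedia)
  2. self-deletion: cmd.exe /c ping 127.0.0.1 & del /q "<parent's own image>"

The event records below are constructed from the process tree and registry
signature in the report; they are not raw sandbox output. The parent PID of
the first process is not in the report and is set to 0 here as a placeholder.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # on-disk image path of the created process
    cmdline: str    # command line as recorded by the monitor


@dataclass
class RegSetEvent:
    pid: int
    key: str
    value_name: str
    data: str


# Run / RunOnce under HKLM or HKCU, including the WOW64-redirected view.
RUN_KEY_RE = re.compile(
    r"\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$",
    re.IGNORECASE,
)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# ping against loopback: a sleep substitute that needs no extra binary
PING_LOOPBACK_RE = re.compile(
    r"\bping(?:\.exe)?\b[^&]*\b(?:127\.0\.0\.1|localhost)\b", re.IGNORECASE
)
# del/erase with optional switches; quoted or bare target, ended by '&' or EOL
DEL_TARGET_RE = re.compile(
    r"\b(?:del|erase)\b(?:\s+/\w+)*\s+\"?([^\"&]+?)\"?\s*(?:&|$)", re.IGNORECASE
)


def find_run_key_persistence(reg_events):
    """Run-key values whose data lives in the user's Temp directory."""
    return [
        ev for ev in reg_events
        if RUN_KEY_RE.search(ev.key) and USER_TEMP_RE.search(ev.data)
    ]


def find_self_delete(proc_events):
    """cmd.exe children that ping loopback and then delete their parent's image.

    Returns (cmd_event, parent_event, deleted_path) triples. Requiring the
    deleted path to equal the parent's image separates this from routine
    'ping & del' cleanup in scripts.
    """
    by_pid = {ev.pid: ev for ev in proc_events}
    hits = []
    for ev in proc_events:
        if not ev.image.lower().endswith("\\cmd.exe"):
            continue
        if not PING_LOOPBACK_RE.search(ev.cmdline):
            continue
        m = DEL_TARGET_RE.search(ev.cmdline)
        if not m:
            continue
        target = m.group(1).strip()
        parent = by_pid.get(ev.ppid)
        if parent is not None and parent.image.lower() == target.lower():
            hits.append((ev, parent, target))
    return hits


# --- constructed sample events modelled on the report ---------------------
SAMPLE_IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
                r"\053871aef418858a62b820b47313392dbcba103427a1dfd53def2b0a6c4247f2.exe")
DROPPED_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

SAMPLE_PROCS = [
    ProcEvent(1704, 0, SAMPLE_IMAGE, f'"{SAMPLE_IMAGE}"'),   # ppid 0: not in report
    ProcEvent(944, 1704, DROPPED_IMAGE, DROPPED_IMAGE),
    ProcEvent(852, 1704, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE_IMAGE}"'),
    ProcEvent(1808, 852, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    # constructed benign control: loopback ping with no deletion
    ProcEvent(2000, 1500, r"C:\Windows\System32\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c ping -n 3 127.0.0.1'),
]

SAMPLE_REG = [
    RegSetEvent(1704,
                r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
                "MicroMedia", DROPPED_IMAGE),
    # constructed benign control: Run value under Program Files, not Temp
    RegSetEvent(3000,
                r"\REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run",
                "ExampleApp", r"C:\Program Files\Example\example.exe"),
]

if __name__ == "__main__":
    for ev in find_run_key_persistence(SAMPLE_REG):
        print(f"[persistence] pid {ev.pid}: {ev.key}\\{ev.value_name} = {ev.data}")
    for cmd, parent, path in find_self_delete(SAMPLE_PROCS):
        print(f"[self-delete] pid {cmd.pid} (child of {parent.pid}) deletes {path}")
```

The parent/target comparison is what keeps the self-delete check precise: the same `ping 127.0.0.1 & del` idiom appears in legitimate installers and updaters, but those delete a temporary file, not the image of the process that spawned cmd.exe. Fed real Sysmon or EDR process-creation events, the only adaptation needed is mapping their field names onto `ProcEvent` and `RegSetEvent`.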
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
4a3a181224775f41171247f253a6860e
SHA1
63a432e2c0647e6e7900f7d7779c2ab7cf6d9543
SHA256
4e0bb1163f4d1ce953dc6709e94d9e2fd585fc44517b738337a54509917c8c66
SHA512
120eaf23aee4d4f3eeccefa4ea627f3414aab5e5a3e5c2e57053040ff1f11e5f86fa0094a49355a233f0fbc4c2c04e6d4628d234ef193307c78b6d882e8b04e2

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
4a3a181224775f41171247f253a6860e
SHA1
63a432e2c0647e6e7900f7d7779c2ab7cf6d9543
SHA256
4e0bb1163f4d1ce953dc6709e94d9e2fd585fc44517b738337a54509917c8c66
SHA512
120eaf23aee4d4f3eeccefa4ea627f3414aab5e5a3e5c2e57053040ff1f11e5f86fa0094a49355a233f0fbc4c2c04e6d4628d234ef193307c78b6d882e8b04e2
-
memory/1704-55-0x0000000075F91000-0x0000000075F93000-memory.dmp
Filesize
8KB